Unverified Commit 1a5b6a47 authored Aug 19, 2020 by rickyniu Committed by Michael Bestas Jan 02, 2023

ANDROID: usb: gadget: f_mtp: Return error if count is negative



If the user passes in a negative file size in a int64,
this will compare to be smaller than buffer length,
and it will get truncated to form a read length that
is larger than the buffer length.

To fix, return -EINVAL if the count argument is negative,
so the loop will never happen.

Bug: 37429972
Bug: 161328074
(cherry-picked from commit 6ba119257516c87a577993487c0b5aaa1ab0c0a1)
Signed-off-by: rickyniu <rickyniu@google.com>
Change-Id: I8f055b0186931f1ebd222bc17bbfd96a7aedd459

parent 4ca330d4

drivers/usb/gadget/function/f_mtp.c

+10 −0

Original line number	Diff line number	Diff line
		@@ -811,6 +811,11 @@ static void send_file_work(struct work_struct *data)
		offset = dev->xfer_file_offset;
		count = dev->xfer_file_length;

		if (count < 0) {
		dev->xfer_result = -EINVAL;
		return;
		}

		mtp_log("(%lld %lld)\n", offset, count);

		if (dev->xfer_send_header) {
		@@ -925,6 +930,11 @@ static void receive_file_work(struct work_struct *data)
		offset = dev->xfer_file_offset;
		count = dev->xfer_file_length;

		if (count < 0) {
		dev->xfer_result = -EINVAL;
		return;
		}

		mtp_log("(%lld)\n", count);
		if (!IS_ALIGNED(count, dev->ep_out->maxpacket))
		mtp_log("- count(%lld) not multiple of mtu(%d)\n",